
How do I stop a sub cert server from issuing any new certificates

Question

I have an enterprise subordinate root server that only has 3 certificates that are active. I would like to decommission it. I have read through the article on decommissioning as well as the 2008 certificate migration guide, yet I am not sure I understand what stops a CA from issuing certificates. I have posted before and am trying to decide whether I want to migrate the enterprise root to 2008 or start over, but since the enterprise subordinate only has 3 active certificates it would be easy to just decommission it and create new issuing subordinate CAs on my 2008 R2 servers. I have stopped auto-enrollment in AD, so I think the only way that the existing enterprise CA would issue a certificate would be via a request to the CA. From what I have read it seems that I need to extend the lifetime of the CRL, revoke the active certificates, and then issue a new CRL. I should then be able to follow through the balance of the process and decommission the CA, decommission the domain controller the CS is running on, and then remove the server from the domain. But what actually stops an installed CA from issuing certificates?

Answers

The easiest way is to remove all assigned templates from the CA. In the Certification Authority MMC snap-in, select the Certificate Templates folder and remove all templates. And you can leave the CA in an operational state to publish new CRLs. After that you can start the decommission process.
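
The template removal described in the answer can also be scripted with `certutil` instead of the MMC snap-in. The following is an added example, not part of the original thread; it assumes an elevated PowerShell session on the CA itself, English `certutil` output of the form `TemplateName: Display Name -- ...`, and a hypothetical backup file name `ca-templates-before.txt`.

```powershell
# Added example: unassign every certificate template from the local CA so it
# can no longer issue template-based certificates, while the CA service keeps
# running and can still publish CRLs.

function Get-AssignedTemplateName {
    param([string[]]$CertutilOutput)
    foreach ($line in $CertutilOutput) {
        # Skip certutil's own status line ("CertUtil: -CATemplates command ...")
        if ($line -match '^\s*CertUtil:') { continue }
        # Assumed line format: "<TemplateName>: <Display Name> -- ..."
        if ($line -match '^\s*([^:\s]+):\s') { $Matches[1] }
    }
}

# 1. Record what is currently assigned, so the change can be reviewed or undone.
$before = @(Get-AssignedTemplateName (certutil -CATemplates))

if ($before.Count -eq 0) {
    Write-Output 'No templates are assigned to this CA.'
}
else {
    $before | Set-Content -Path .\ca-templates-before.txt   # hypothetical file name
    Write-Output ("Removing {0} template(s): {1}" -f $before.Count, ($before -join ', '))

    # 2. "-SetCATemplates -Name1,Name2" removes the listed templates from the CA
    #    ("+" in place of the leading "-" would add them back).
    $removeList = '-' + ($before -join ',')
    certutil -SetCATemplates $removeList

    # 3. Verify that nothing is left assigned.
    $after = @(Get-AssignedTemplateName (certutil -CATemplates))
    if ($after.Count -gt 0) {
        Write-Warning ("Still assigned: {0}" -f ($after -join ', '))
    }
    else {
        Write-Output 'All templates removed from this CA.'
    }
}

# 4. The CA stays operational; publish a fresh CRL when needed.
certutil -CRL
```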
